July 9, 2026 Stories worth reading. Perspectives worth sharing.
Entra ID On-Premises App Publishing: Enumeration Updates, Sensor Integration, and What Admins Must Do Now
Entra ID

Entra ID On-Premises App Publishing: Enumeration Updates, Sensor Integration, and What Admins Must Do Now

Mo Wasay July 9, 2026 4 min read
Entra ID On-Premises App Publishing: Enumeration Updates, Sensor Integration, and What Admins Must Do Now

WHAT JUST CHANGED

Effective June 2024, Microsoft has rolled out a series of updates to Entra ID’s on-premises app publishing schema (currently in Public Preview). These changes impact tenants using Hybrid Application Proxy and related Graph API integrations:

  • Removed privateAccess member from onPremisesPublishingType enumeration.
  • Removed servicePrincipalName member from privateNetworkDestinationType enumeration.
  • Added sensorStatus enumeration type — tracks health/status of on-premises sensors.
  • Added sensors relationship to the onPremisesPublishingProfile resource.
  • Added new privateAccessSensor resource.

These changes are available in Microsoft Graph Beta and will roll into GA later in 2024. Affected tenants are those leveraging Hybrid App Proxy, Conditional Access for on-prem apps, or custom integrations with the onPremisesPublishingProfile resource.

WHO’S AFFECTED

  • Tenants using Hybrid Application Proxy to publish on-premises applications.
  • Admins managing onPremisesPublishingProfile via Microsoft Graph API (especially those automating deployments or reporting).
  • All environments with private network app publishing scenarios — including those with custom workflows, legacy enumeration references, or sensor-based health monitoring.

WHY THIS DIRECTION IS BETTER

These changes reflect Microsoft’s drive toward more robust, granular, and modern management for on-premises app publishing:

  • Removal of legacy enumeration members (privateAccess, servicePrincipalName) eliminates ambiguity and improves schema clarity for API consumers.
  • Introduction of sensor relationships and statuses gives admins granular visibility into app proxy health, enabling proactive troubleshooting vs. legacy one-size-fits-all status.
  • Alignment with competing IdP solutions: Azure AD/Entra ID now rivals Okta, Ping, and others in offering integrated, sensor-based health reporting for hybrid app access.
  • Simplifies code and automation: Scripted workflows won’t break on deprecated enum members; new sensor resources provide actionable telemetry.

WHAT’S NEXT ON THE ROADMAP

  • GA rollout of sensor resources in Microsoft Graph, with full portal integration and alerting — expected H2 2024.
  • Conditional Access for on-prem apps will soon support sensor-based policies (e.g., block access if sensor unhealthy).
  • Expanded lifecycle management for sensors: automatic registration, health-based retirement, and richer analytics.
  • API schema changes: Microsoft is deprecating older Graph endpoints for Hybrid App Proxy in favor of new, sensor-enabled endpoints.
  • Unified admin experience: Expect improved navigation in Entra admin center for hybrid app publishing, including sensor dashboards.

ADJACENT ENTRA ID CHANGES TO KNOW

  • Recent Conditional Access updates: New location-based policies for published on-prem apps.
  • Application Proxy certificate lifecycle automation: New PowerShell and Graph support for certificate rotation and expiry alerts.
  • External Identities pricing changes — guest app access now billed differently; review your published app guest permissions.

WHAT TO DO: STEP-BY-STEP ADMIN ACTIONS

  1. Audit your published applications for deprecated enumeration usage (privateAccess, servicePrincipalName).
  2. Update automation scripts to use new sensor resources and enumeration types.
  3. Review Conditional Access policies for hybrid apps — prepare for sensor-based targeting.
  4. Monitor sensor health using new Graph endpoints.
  5. Document and inform app owners of upcoming schema requirements.

CHECK IT YOURSELF: MODERN POWERSHELL

Audit published app profiles, enumerate sensors, and report any deprecated enum usage:

# Requires Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns modules
Connect-MgGraph -Scopes 'Application.Read.All', 'OnPremisesPublishingProfile.Read.All'

# List all on-premises publishing profiles
$profiles = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/onPremisesPublishingProfiles' | Select-Object -ExpandProperty value

foreach ($profile in $profiles) {
  # Check for deprecated enums
  $deprecatedType = $null
  if ($profile.onPremisesPublishingType -eq 'privateAccess') {
    $deprecatedType = 'onPremisesPublishingType:privateAccess'
  }
  $deprecatedDest = $null
  if ($profile.privateNetworkDestinationType -eq 'servicePrincipalName') {
    $deprecatedDest = 'privateNetworkDestinationType:servicePrincipalName'
  }
  
  # List sensors for each profile
  try {
    $sensorUri = "https://graph.microsoft.com/beta/onPremisesPublishingProfiles/$($profile.id)/sensors"
    $sensors = Invoke-MgGraphRequest -Method GET -Uri $sensorUri | Select-Object -ExpandProperty value
  } catch {
    $sensors = @()
    Write-Warning "Failed to retrieve sensors for profile $($profile.displayName): $_"
  }

  Write-Output "Profile: $($profile.displayName)"
  if ($deprecatedType) { Write-Output "  Deprecated: $deprecatedType" }
  if ($deprecatedDest) { Write-Output "  Deprecated: $deprecatedDest" }
  Write-Output "  Sensor count: $($sensors.Count)"
  foreach ($sensor in $sensors) {
    Write-Output "    Sensor: $($sensor.displayName) Status: $($sensor.sensorStatus)"
  }
}

Note: This script audits all on-premises publishing profiles for deprecated enum usage and lists sensor status. It handles errors gracefully and supports pagination via manual loop (adjust for large tenants).

PORTAL PATH: ENTRA ADMIN CENTER

  • Entra admin center > Applications > Application Proxy > Published apps: Inspect app profiles and sensor health.
  • Settings > Hybrid Application Proxy > Sensors: View sensor inventory and status (when available).
  • Conditional Access > Policies > Published Apps: Prepare for sensor-based conditions.

BOTTOM LINE

  • Urgent: Audit your published apps for deprecated enum usage and update scripts.
  • Plan: Prepare for sensor-based health and Conditional Access in hybrid app scenarios.
  • Monitor: Use new Graph endpoints and portal views for sensor status and app health.
  • Stay ahead: Track upcoming roadmap items for hybrid app publishing and automation.

Microsoft is modernizing hybrid app publishing in Entra ID. Take action now to avoid breaking changes, ensure visibility, and leverage new sensor-based health for secure, resilient access.